SECURE ATM-BASED DISTRIBUTED VIRTUAL TANDEM SWITCHING SYSTEM AND METHOD

CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims the benefit of U.S. Patent Application No. 09/705,793, which is a continuation-in-part of pending U.S. Patent Application No. 09/534,308, filed March 23, 2000, in the names of Haifeng BI et al., entitled "Fault Tolerant ATM-based Distributed Virtual Tandem Switching System and Method," which is a continuation-in-part of U.S. Patent Application No. 09/287,092, filed April 7, 1999, which is now U.S. Patent No. 6,169,735, to George C. ALLEN Jr. et al., entitled "ATM-based Distributed Virtual Tandem Switching System," which claims the benefit of U.S. Provisional Patent Application No. 60/083,640, filed on April 30, 1998, entitled "ATM-Based Distributed Virtual Tandem Switching System" to ALLEN et al., the disclosures of which are expressly incorporated herein by reference in their entireties.

BACKGROUND OF THE INVENTION

1. Field of the Invention 
The present invention relates to the field of telecommunications. More particularly, the present invention relates to secure asynchronous transfer mode (ATM)-based telecommunications networks.

2. Background Information

In current time division multiplexed (TDM)-based telecommunications networks, signaling messages for managing telephone calls are carried on a network different from the network carrying the telephone conversations themselves. In fact, the control network, which carries the messages that establish and tear down connections, is physically separate from the bearer network, which carries the customer, or bearer, traffic. In other words, control and bearer traffic are segregated. One reason for the segregation is to prevent unauthorized access to voice connections. Control traffic in the typical voice network will be referred to as narrowband control traffic, in contrast to ATM control traffic.

A new voice trunking system using ATM technology has been proposed in U.S. Patent Application No. 09/287,092, entitled "ATM-Based Distributed Virtual Tandem Switching System." The architecture represents a new paradigm of networking that requires re-thinking network security. In this system, shown in Fig. 1, voice trunks from end office switches 16, 18 are converted to ATM cell streams by a first or second trunk interworking function (T-IWF) device 10. The T-IWFs 10 are distributed to each end office 16, 18, and are controlled by a centralized control and signaling interworking function (CS-IWF) device 12. The CS-IWF 12 performs call control functions as well as conversion between the narrowband Signaling System No. 7 (SS7) protocol and a broadband signaling protocol. The T-IWFs 10, CS-IWF 12, and an ATM network 14 of ATM switches form the ATM-based distributed virtual tandem switching system. According to this voice trunking over ATM (VTOA) architecture, trunks are no longer statically provisioned as DS0 time slots. Instead, the trunks are realized through dynamically established switched virtual connections (SVCs), thus eliminating the need to provision separate trunk groups to different destinations, as is done in TDM-based trunking networks.

In the VTOA architecture, narrowband control and bearer traffic are still segregated. ATM control and bearer traffic, however, are not carried on distinct, physically separate networks. That is, signaling messages that control switched virtual connections (SVCs) traverse the same communications links as the bearer traffic carried by those SVCs. Consequently, new security risks are present. For example, unauthorized access to the ATM SVCs should be prevented, just as unauthorized access to voice connections is currently prevented.

Moreover, in complex multi-service, multi-carrier networks, additional security requirements apply. For example, interception and malicious alteration or replay of sensitive operations, administration, and maintenance (OAM) and control messages should be prevented.

Consequently, current security practices and infrastructures must be adapted to make certain that deployments of this new architecture are as secure as the existing TDM voice network.

BRIEF DESCRIPTION OF THE DRAWINGS 
The present invention is further described in the detailed description that follows, by reference to the noted plurality of drawings by way of nonlimiting examples of embodiments of the present invention, in which like reference numerals represent similar parts throughout several views of the drawings, and in which:

Fig. 1 shows a known virtual trunking over ATM telecommunications network architecture;

Fig. 2 shows traffic types that are excluded from the ATM network, according to one aspect of the present invention;

Fig. 3 shows traffic types that are allowed to traverse the ATM network, according to another aspect of the present invention; and

Fig. 4 shows an exemplary network including a VTOA closed user group and non-VTOA



WO 02/37779 PCT/US01/42922
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In view of the foregoing, the present invention is directed to providing security in the VTOA system. The present invention prescribes security measures to prevent unauthorized access to ATM SVCs. More specifically, the types of traffic present in the VTOA architecture are categorized, and requirements concerning the manner in which VTOA traffic may be transported across the ATM distributed switching fabric are presented.

According to an embodiment of the present invention, a telecommunications network is provided that carries control traffic and bearer traffic via ATM communications channels and TDM communications channels. The telecommunications network includes ATM switches and an ATM element management system that manages an ATM switching network formed by the ATM switches. The network also includes at least one closed user group consisting of multiple closed user group members. The closed user group members include trunk interworking function (T-IWF) devices configured to receive end office voice trunks from TDM channels and convert the trunks to ATM cell streams, and to receive ATM cell streams and convert the ATM cell streams to end office voice trunks; and at least one centralized control and signaling interworking function (CS-IWF) device. The CS-IWF device performs call control functions and interfaces narrowband and broadband signaling for call processing and control within the ATM switching network. The closed user group members also include a VTOA switch management system (SMS). Other elements of the network include end office switches that communicate with the trunk interworking function (T-IWF) devices and the at least one centralized control and signaling interworking function (CS-IWF) device via TDM communications channels. Thus, the closed user group members are restricted to communicating solely with other closed user group members when communicating with each other via the ATM switching network.

According to another aspect of the invention, a method is provided for controlling bearer traffic and control traffic traveling through ATM communication channels and TDM communication channels in a communications network. The network includes at least one closed user group consisting of trunk interworking function (T-IWF) devices that receive end office voice trunks from TDM channels and convert the trunks to ATM cell streams, and receive ATM cell streams and convert the ATM cell streams to end office voice trunks. The closed user group also includes at least one centralized control and signaling interworking function (CS-IWF) device that performs call control functions and interfaces narrowband and broadband signaling for call processing and control within the ATM switching network. Finally, the closed user group includes a VTOA switch management system (SMS). The network also includes ATM switches and an ATM element management system that manages an ATM switching network formed by the ATM switches. The method includes transmitting signals via the ATM switching network between closed user group members, and rejecting signals received via the ATM switching network that originate from non-closed user group members. The method may also include denying all control and signaling access requests to traditional voice network elements that are received through the ATM switching network.

The present invention is directed to ATM-specific security requirements for the voice trunking over ATM (VTOA) application. Some of these requirements must be implemented at initial VTOA deployment. Supplemental requirements are also provided. The supplemental requirements are designed to provide adequate protection against additional security risks that are introduced when a multi-service ATM infrastructure that switches inter-carrier voice traffic is present. While highly desirable from the outset, adherence to these supplemental requirements should be considered in light of network performance.

The ATM tandem replacement architecture is represented schematically in Figure 1. The T-IWF 10, CS-IWF 12, and ATM switching network 14 represent the ATM-based virtual tandem switch. The functionality of the virtual tandem is split into trunk interworking function (T-IWF) 10 and control and signaling interworking function (CS-IWF) 12 components.

The CS-IWF 12 bridges between narrowband and broadband signaling and, in turn, provides call set up and tear down instructions to the T-IWFs 10. For example, the narrowband signaling may be in the form of SS7 ISUP (integrated services digital network user part) messages, and the broadband signaling may be standards-based broadband signaling, for example, ATM UNI (user network interface) or PNNI (private network-to-network interface). Exemplary CS-IWF units include the Connection Gateway from Lucent Technologies Inc. and the Succession Call Server from Nortel Networks Corporation.

In one embodiment, the CS-IWF 12 is a CS-IWF complex 120 including multiple CS-IWF units 12. In this embodiment, each CS-IWF unit 12 must be highly reliable. To achieve this objective, redundant processors are provided within each CS-IWF 12 for protection against processor failure. The redundant processors may operate in an active/standby mode or in a load sharing mode.
Each CS-IWF complex 120 must contain spare capacity for protection. The specific architecture of the CS-IWF complex 120 dictates the spare processing capacity required. For example, in a complex where n = 2, if one CS-IWF 12 fails, the remaining CS-IWF 12 must be able to handle the load of the CS-IWF 12 that failed. If three CS-IWFs 12 are provided, any two remaining CS-IWFs 12 should be able to handle the load of the failed CS-IWF 12. Thus, a CS-IWF complex 120 must contain at least two CS-IWF units 12. In general, in a CS-IWF complex 120 of n units, k (k ≥ 1) of the n CS-IWF units 12 must be provided for the purpose of protection. The objective is that the loss of one CS-IWF unit 12 has no impact on the call handling capacity of the CS-IWF complex 120 as a whole. In the active/standby mode, n - k CS-IWFs 12 are active, and k operate in standby mode. In the load-sharing mode, all n CS-IWFs 12 run at levels less than maximum such that if one of the CS-IWFs 12 should fail, its processing load can be absorbed by the remaining CS-IWFs 12.
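The protection arithmetic above can be checked mechanically. The following is an added worked example, not code from the specification or from any vendor's CS-IWF product; the unit names, capacities and offered loads are constructed. It computes the active/standby split for n units with k spares, the highest utilisation each unit may run at in load-sharing mode, and whether a given complex actually survives the loss of any single unit:

```python
"""CS-IWF complex protection planning (added example, not from the specification).

Models the two protection modes described above: active/standby, where
n - k units carry calls and k stand by, and load sharing, where all n units
run below maximum so the survivors can absorb a failed unit's load.
Unit names and capacities are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CsIwfUnit:
    name: str
    max_load: float  # engineered call-handling capacity (e.g. call attempts per second)


def active_standby_split(n: int, k: int) -> tuple[int, int]:
    """Return (active, standby) unit counts for an n-unit complex with k spares."""
    if n < 2:
        raise ValueError("a CS-IWF complex needs at least two units")
    if not 1 <= k < n:
        raise ValueError("k must satisfy 1 <= k < n")
    return n - k, k


def load_sharing_ceiling(n: int, k: int) -> float:
    """Highest fraction of its own capacity each unit may run at in load-sharing
    mode so that the remaining n - k units can absorb the load of k failures."""
    active, _ = active_standby_split(n, k)  # reuse the argument checks
    return active / n


def redistribute(units: list[CsIwfUnit], offered_load: float, failed: set[str]) -> dict[str, float]:
    """Load-sharing mode: spread offered_load over the surviving units in
    proportion to capacity and return each survivor's utilisation (1.0 = full).
    With a capacity-proportional split every survivor ends up at the same level."""
    survivors = [u for u in units if u.name not in failed]
    if not survivors:
        raise RuntimeError("no CS-IWF unit left to carry the load")
    total = sum(u.max_load for u in survivors)
    return {u.name: offered_load / total for u in survivors}


def survives_single_failure(units: list[CsIwfUnit], offered_load: float) -> bool:
    """True if the loss of any one unit leaves every survivor at or below capacity."""
    return all(
        max(redistribute(units, offered_load, {u.name}).values()) <= 1.0 for u in units
    )


if __name__ == "__main__":
    # Constructed three-unit complex, 100 call attempts/s each.
    complex_120 = [CsIwfUnit(f"cs-iwf-{i}", 100.0) for i in (1, 2, 3)]
    print("active/standby n=3,k=1:", active_standby_split(3, 1))
    print("load-sharing ceiling n=3,k=1:", round(load_sharing_ceiling(3, 1), 3))
    print("200 ca/s survives one failure:", survives_single_failure(complex_120, 200.0))
    print("210 ca/s survives one failure:", survives_single_failure(complex_120, 210.0))
```

The ceiling (n - k)/n is the figure an operator has to hold each load-sharing unit under during normal operation; the survival check catches the case where offered load has crept above it.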

The T-IWFs 10 set up and tear down the bearer connections across the ATM switching network 14 and perform the necessary TDM to ATM and ATM to TDM conversions at the endpoints of these ATM bearer connections. Exemplary T-IWFs include the 7R/E Trunk Access Gateway from Lucent Technologies Inc. and the Succession Multi-service Gateway 4000 (MG 4000) from Nortel Networks Corporation.

Exemplary ATM switches (in the ATM switching network 14) include the 7470 MSP and 7670 RSP, both manufactured by Alcatel Canada Inc.; the GX 550 Smart Core ATM Switch, manufactured by Lucent Technologies Inc.; and the Passport 15000 Multiservice Switch, manufactured by Nortel Networks Corporation.

Figure 1 also shows an originating end office switch 16, a terminating end office switch 18, and a signaling transfer point (STP) 20. Exemplary switches include class 5 switches such as the Lucent Technologies Inc. 1AESS; the Lucent Technologies Inc. 5ESS; the Ericsson AXE-10; and the Northern Telecom

Figure 1 does not represent the virtual tandem switching system at the ultimate level of detail. To keep the diagram uncluttered, additional components, such as additional CS-IWFs, element management systems and operation support systems, have been omitted from the diagram. These components appear in subsequent figures where appropriate. For example, a switch management system (SMS) unit 22 is discussed with reference to Figures 2 and 3. The SMS 22 is the element layer manager of the ATM-based virtual tandem. The SMS 22 communicates with the T-IWFs 10 and the CS-IWF 12, and with the legacy operation support systems (OSS) 24. Essentially, the SMS 22 controls management of the distributed switch and acts as a man-machine interface enabling a human user to view and control the overall behavior of the VTOA. According to one embodiment, the SMS 22 communicates with other network management systems involved in the virtual tandem, such as the operation support system 24, which may be located in a central office or in a data center.

Exemplary SMSs 22 include the OneLink Manager from Lucent Technologies Inc. and the Succession Network Manager from Nortel Networks Corporation.

Call control connections and bearer connections appear in both the TDM and ATM domains, although bearer and control are not carefully distinguished on the ATM side in Figure 1. These distinctions will be made clear in subsequent figures. It is noted that interexchange carrier (IXC) traffic may be handed off as TDM or ATM streams. Both possibilities are represented in Figure 1. Note that only the bearer connections, and not control connections, are shown in Figure 1.

In the present specification, the term "network element" refers to any of the VTOA components (e.g., T-IWF 10, CS-IWF 12, SMS 22); the ATM switches internal to the VTOA system; and the components of the current TDM-based voice network (e.g., Class 5 switches 16, 18, STP 20). "VTOA network element" refers to any of the VTOA components such as the T-IWF 10, CS-IWF 12, and SMS 22.

An element management system (EMS) 26 is a system provided by a network element vendor for the purpose of managing that vendor's network elements. Specific examples are the ATM element management system 26 used for the ATM network elements, and the switch management system (SMS) 22 used for the VTOA network elements. The ATM network 14 refers collectively to the ATM switches internal to VTOA and their element management system 26. An exemplary ATM EMS is the NavisCore Multiservice Element Manager, available from Lucent Technologies, Inc.

Operations support systems (OSSs) 24 are management systems that are not packaged 
with specific vendors' network elements. OSSs communicate with element management systems 
to extract higher-level information. 

The types of traffic present in the distributed tandem architecture are now discussed. The distributed tandem architecture is very different from the TDM-based network architecture. As discussed above, one major distinction is that in the distributed tandem architecture, ATM bearer channels are allocated using in-band signaling. Thus, multiple types of traffic need to be accounted for in the ATM network as well as in the TDM-based portion of the network. The traffic types include voice traffic, control traffic, and OA&M traffic. According to the present invention, there are two types of requirements, namely requirements that exclude some types of traffic from traversing the ATM network, and requirements designed to protect the integrity of traffic that does traverse the ATM switching network.

Traffic types excluded from traveling through the ATM network are now discussed with 
reference to Figure 2. 

Voice traffic is carried on TDM bearer channels 1. These bearer channels 1 extend from the customer premises (not shown) and through the Class 5 switch 16 to the trunk interworking function (T-IWF) 10. By definition, these bearer channels 1 are not transported via the ATM network 14.

TDM control and OA&M traffic is segregated from ATM control and OA&M traffic. The physical security afforded by out-of-band signaling makes the current TDM-based voice network resistant to fraudulent use and malicious attacks. To retain these security benefits, certain traffic types cannot be carried across the ATM network 14. For example, according to the invention, SS7 message traffic and OA&M message traffic between traditional voice network elements and their EMSs 28 are not permitted to travel through the ATM switching network 14. Consequently, the VTOA network elements 10, 12, 22 deny all control and signaling access requests to traditional voice network elements that are received through the ATM network 14. Thus, the control signaling for the TDM network is restricted to, and occurs only via, the SS7 network. When such an access attempt is denied, an alarm is sent to the SMS 22 with a detailed description. The SMS 22 displays an appropriate alarm and logs the event.

Rather than via the ATM switching network 14, Signaling System No. 7 (SS7) ISUP messages are carried on A links 2a between Class 5 switches 16, 18 and the STP 20, and on A links 2a between the STP 20 and the CS-IWF 12. SS7 ISUP messages can alternatively be carried on F links 2b between Class 5 switches 16, 18 and the CS-IWF 12. A links 2a and F links 2b for SS7 ISUP messages are not mutually exclusive: both can appear in the same implementation. It is noted that STP ATM interfaces have now been standardized. Thus, when such interfaces are deployed, the associated requirement will reflect the standards.
Rather than via the ATM switching network 14, OA&M messages travel between traditional TDM voice network elements, e.g., end office 18, and their element management systems 28, as depicted by an independent link 3a. It is noted that although only a single element management system 28 is shown communicating with a single TDM voice network element (e.g., 18) in Figure 2, additional communications occur. OA&M messages also travel between all element management systems (including the ATM EMS 26 and the VTOA SMS 22) and all OSSs 24, as depicted by lines 3b. In all cases, however, traffic between EMSs and OSSs is not carried through the ATM switching network 14.

The types of traffic allowed to travel through the ATM network are now discussed with 
reference to Figure 3. 

Voice traffic is carried on ATM bearer channels 4. These bearer channels 4 extend 
through the ATM switching network 14 from ingress T-IWF 10 to egress T-IWF 10, and from 
a T-IWF 10 via the ATM switching network 14 to an interexchange carrier (IXC) network. 

Control traffic 5a travels between the CS-IWF 12 and the T-IWF 10. Control traffic 5b travels between distant portions of the CS-IWF 12. As discussed above and shown in Figure 3, the functions of the CS-IWF 12 are not all implemented in the same network element. In either case, this traffic 5a, 5b may travel in-band across the ATM switching network 14 or out-of-band (e.g., on WAN connections, or, in the case of co-located VTOA network elements, on intra-office LAN connections). The LAN/WAN is a high-security network; high security clearance is required for access into the LAN/WAN. When this traffic is inter-office, the traffic 5a, 5b is carried in-band across the ATM network. Control traffic that travels between portions of the CS-IWF 12, or between a CS-IWF 12 and a T-IWF 10, can be further categorized into messages for call control and "higher level" messages that are not associated with specific bearer channels but instead affect the overall workings of the ATM distributed tandem switching system.

ATM SVC signaling messages 6 (e.g., SETUP and RELEASE) manage bearer connections across the ATM switching network 14. These ATM SVC signaling messages 6 clearly travel in-band through the ATM switching network 14. Typical ATM SVC signaling messages 6 may travel between two T-IWFs 10, or between CS-IWF components 12 if the CS-IWF "proxies" for the T-IWFs. That is, when the T-IWF 10 does not have signaling intelligence, the CS-IWF 12 signals to the T-IWF 10, which simply passes the signaling on to the ATM network 14. In such a case, other pieces of equipment "believe" that the T-IWF 10 is signaling.
OA&M messages 7a travel between VTOA network elements and their switch management systems (SMSs) 22. OA&M messages 7b also travel between ATM switches 30 (although only one ATM switch 30 is shown in Figure 3, the network typically includes more than one switch) and their element management systems 26. These OA&M messages may travel across the ATM network or out-of-band (e.g., on WAN connections, or, in the case of co-located VTOA network elements, on intra-office LAN connections). In instances where this traffic is inter-office, this traffic 7a, 7b is carried across the ATM switching network 14. One type of traffic in this category merits special consideration: commands and data with the potential to take a VTOA or ATM network element out of service, or to extinguish a large number of call requests or stable calls. A particular example is a software upgrade and its attendant control messages (e.g., carrying installation instructions). As vendors work to simplify the process of upgrading software to new releases, they may arrange for new software loads to be transported to the intended ATM and/or VTOA network elements via the ATM switching network 14 from centralized point(s). It is clearly advantageous to protect the integrity of these downloads to the greatest extent possible, for example, by employing key-based services (i.e., authentication).

Although not shown in Figure 3, an ATM connection between the STP 20 and the CS-IWF 12 is a possible implementation option, especially when IP interfaces are available on STPs 20. In this case, IP-adapted SS7 traffic may be allowed to traverse the ATM network.

In a baseline embodiment, traffic that traverses the ATM network is controlled primarily by the use of closed user groups (CUGs). Closed user group (CUG) refers to an access control mechanism. Closed user groups are typically used to enable and disable switched virtual circuit (SVC) connections to and from designated groups of subscribers. That is, closed user groups are used to control end systems' privileges vis-à-vis SVC services. The ATM Forum's efforts to standardize closed user groups have not been completed. Thus, ATM vendors typically base their closed user group implementations on ITU-T Recommendation Q.2955.1, "Stage 3 Description for Community of Interest Supplementary Services Using B-ISDN DSS 2: Closed User Group (CUG)," June 1997, the disclosure of which is expressly incorporated by reference herein in its entirety. According to the present embodiment, closed user groups are established and maintained from the ATM EMS 26. Thus, closed user groups should be transparent to the VTOA network elements. In particular, closed user group IDs and interlock codes are assigned and maintained by the ATM EMS 26.

Closed user group service provides a way to group users and to restrict access to and from users based on closed user group membership status. A given user can be a member of more than one closed user group.

Typically, members of the same closed user group can call each other but cannot call non-closed user group users (whether the latter are members of different closed user groups or of no closed user groups at all). However, other configuration options are available. "Incoming Access" and "Outgoing Access" are closed user group configuration parameters that can be used to allow communication with users outside one's own closed user group.

Closed user groups are implemented via information elements (IEs) that are appended to, and travel with, call setup requests. Therefore, when closed user group service is added to a network, the signaling flows for call setups (specifically ATM SVC setups) do not change. If a call setup request is rejected for a closed user group-related reason, the cause code in the rejection message will indicate this fact. This enlargement of the set of possible failure cause codes and the piggybacking of closed user group information elements on messages would usually be the only changes to signaling that would become necessary with the addition of closed user group service. For more information about closed user groups, see chapter 15 of the "NavisCore ATM Configuration Guide," available from Lucent Technologies, Inc., the disclosure of which is expressly incorporated by reference herein in its entirety.

In one embodiment of the invention, all VTOA network elements are grouped into one or more closed user groups as a configuration option implemented via the ATM EMS 26. These closed user groups contain no non-VTOA network elements. Thus, it is not necessary to involve the VTOA SMS 22 in the provisioning or maintenance of closed user groups. More than one closed user group will exist when the number of VTOA network elements exceeds a limit imposed on the number of elements allowed in each closed user group. The ATM switches and the ATM element management system (EMS) are not members of the closed user group per se. Rather, the ATM switches enforce the SVC access restrictions that are put in place by the closed user group features of the ATM element management system.

With respect to protecting the integrity of critical traffic, it is advantageous that the ATM switch network prevents all attempts by non-VTOA network elements to masquerade as VTOA network elements via address spoofing in signaling messages (e.g., by performing source address verification at the UNI). Specifically, whenever an ATM switch receives a UNI SETUP message from an end system, the switch verifies that any ATM End System Address contained in the calling party number or calling party subaddress information element is consistent with the physical port/UNI or virtual UNI to which the end system is attached on that ATM switch. Moreover, no default identifier, address, route, etc. is provisioned. The identification by switch ports/UNIs is intended to prevent "address spoofing", i.e., attempts to access VTOA network elements from non-VTOA network elements by inserting fraudulent data into the calling party number information elements of UNI SETUP messages. For example, spoofing is illustrated by the case in which a non-VTOA network element attached to UNI A pretends to be at UNI B, where a VTOA network element is attached, by inserting UNI B identification information in the SETUP message. This identification requirement seeks to prevent such spoofing.

The identification requirement can be satisfied as follows. For each SETUP message received by an ATM switch from the subscriber side of an attached UNI, the calling party number information element is validated against the network prefix assigned to that UNI. In this respect, it should be noted that an ATM End System Address (AESA) consists of a network prefix, an End System Identifier (ESI), and a 1-byte selector (SEL) field. These three fields do not overlap. The network prefix portion of the AESA is typically identical for all end systems attached to the same User-to-Network Interface (UNI). In the NavisCore management system for the Lucent GX 550 ATM switch, validating against the network prefix is called "Source Address Validation." It is noted that there may be more than one closed user group member at any given UNI. For example, a trunk interworking function may have multiple ports, and these ports may have different ATM end system addresses.
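The following is an added worked example of the source address validation described above; it is not code from the specification or from any switch vendor. It assumes the 20-octet NSAP-format AESA layout (13-octet network prefix, 6-octet ESI, 1-octet SEL), and the switch names, UNI names, prefixes and SETUP messages are constructed. A UNI with no provisioned prefix rejects everything, reflecting the rule that no default identifier is provisioned:

```python
"""Source address validation at the UNI (added example, not from the specification).

An NSAP-format ATM End System Address (AESA) is 20 octets: a 13-octet network
prefix, a 6-octet End System Identifier (ESI) and a 1-octet selector (SEL).
The switch knows which network prefix is provisioned on each UNI; a SETUP whose
calling party number or subaddress carries a different prefix is rejected.
Switch/port names, prefixes and the SETUP messages below are constructed.
"""
from __future__ import annotations

AESA_OCTETS = 20
PREFIX_OCTETS = 13
ESI_OCTETS = 6


def parse_aesa(aesa_hex: str) -> tuple[bytes, bytes, int]:
    """Split a 40-hex-digit AESA into (network_prefix, esi, sel); dots are ignored."""
    raw = bytes.fromhex(aesa_hex.replace(".", ""))
    if len(raw) != AESA_OCTETS:
        raise ValueError(f"AESA must be {AESA_OCTETS} octets, got {len(raw)}")
    prefix = raw[:PREFIX_OCTETS]
    esi = raw[PREFIX_OCTETS:PREFIX_OCTETS + ESI_OCTETS]
    sel = raw[-1]
    return prefix, esi, sel


# Network prefix provisioned per (switch, UNI). There is deliberately no default
# entry: a UNI absent from this table accepts no SETUP at all.
UNI_PREFIX: dict[tuple[str, str], bytes] = {
    ("switch-A", "uni-1"): bytes.fromhex("47000580ffe1000000f21a2b3c"),  # constructed: VTOA T-IWF port
    ("switch-A", "uni-7"): bytes.fromhex("47000580ffe1000000f2ff0001"),  # constructed: non-VTOA end system
}

# Information elements of a UNI SETUP that may carry the caller's AESA.
CALLER_IES = ("calling_party_number", "calling_party_subaddress")


def validate_setup(switch: str, uni: str, setup: dict[str, str]) -> tuple[bool, str]:
    """Source address validation for one SETUP received from the subscriber side
    of a UNI. Returns (accepted, reason). Only IEs present in the message are
    checked, since the requirement applies to any AESA the message contains;
    several end systems (different ESIs) may legitimately share one prefix."""
    provisioned = UNI_PREFIX.get((switch, uni))
    if provisioned is None:
        return False, f"{switch}/{uni}: no network prefix provisioned, no default applied"
    for ie in CALLER_IES:
        if ie not in setup:
            continue
        try:
            prefix, _esi, _sel = parse_aesa(setup[ie])
        except ValueError as exc:
            return False, f"{ie}: malformed AESA ({exc})"
        if prefix != provisioned:
            return False, (f"{ie}: prefix {prefix.hex()} does not match "
                           f"{provisioned.hex()} provisioned on {switch}/{uni}")
    return True, "calling party AESA consistent with UNI"


if __name__ == "__main__":
    # Constructed AESA of a VTOA T-IWF on switch-A/uni-1.
    t_iwf = "47000580ffe1000000f21a2b3c" + "0020ea123456" + "00"
    # Honest SETUP from uni-1 passes; the same calling party number injected by
    # the non-VTOA end system on uni-7 is the UNI A / UNI B spoof and is rejected.
    print(validate_setup("switch-A", "uni-1", {"calling_party_number": t_iwf}))
    print(validate_setup("switch-A", "uni-7", {"calling_party_number": t_iwf}))
    print(validate_setup("switch-A", "uni-9", {"calling_party_number": t_iwf}))
```

Because only the prefix is compared, a T-IWF with several ports, each with its own ESI but the same prefix, passes on the UNI to which it is attached, while a non-VTOA element on another UNI cannot borrow that prefix.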

The ATM EMS 26 establishes membership lists for all closed user groups. Only members of the same closed user group are permitted to communicate with each other across the ATM network 14. "Incoming Access" and "Outgoing Access" are disabled for each VTOA network element.

Only the administrator can create or edit closed user group membership lists. Moreover, the lists may only be created and edited through the ATM EMS 26. Multiple lists are supported for quick reconfiguration of groups, or for backups. Redundancy is the main issue, in that for survivability purposes, closed user group membership list(s) must be maintained at physically separate locations. If either the members of the closed user groups or the network elements are geographically diverse, synchronized copies of the same closed user group membership list can be guaranteed by sufficient redundancy.

Attempts to communicate with or access a VTOA network element via the ATM network 14 by a source not matched on the closed user group list shall be denied. In particular, VTOA network elements should not be provisioned in a way that allows them to be accessed from outside the closed user group via Anycast addresses.

When an attempt to communicate with or access a VTOA network element is denied, the denying ATM network element (switch or other element in the ATM network) sends an alarm to the ATM EMS 26, including a detailed description. The ATM EMS 26 also displays an appropriate alarm and logs the event.

Thus, according to the present invention, one or more closed user groups are implemented in a way that denies any attempt to set up a switched virtual circuit (SVC) between a VTOA network element and a non-VTOA network element. Figure 4 shows an example of a closed user group implementation. In Figure 4, ATM End System Addresses (AESAs) are represented schematically by labels of the form A.x.y and B.w.z. In Figure 4, the leftmost portion of the AESA (schematically, the first character) identifies the ATM switch to which the end system is attached. Note that the second character in the example serves to delineate VTOA and non-VTOA network elements.

A sample VTOA closed user group membership list is shown below.

ATM End System Address (AESA)
A.2.*
B.2.*

The "*" character functions as a wildcard, indicating that any AESA beginning with A.2 or B.2 represents a member of the closed user group.

In Figure 4, VTOA network elements A.2.1, A.2.2 and B.2.1 form a closed user group. Non-VTOA network elements A.1.1 and B.1.1 do not belong to this closed user group. When a new VTOA network element is attached to switch A, it will be assigned an AESA beginning with A.2 (such as A.2.3). When a new non-VTOA network element is introduced, the non-VTOA network element must be assigned an AESA that fails to match the prefixes A.2 and B.2.

Although the example described with reference to Figure 4 shows one implementation, implementation details will vary depending on the AESA administration plan.
Sample access settings for VTOA closed user group members are shown in Table 1 
below. 

                 Communicating with Other            Communicating with Network 
                 Members of the VTOA CUG             Elements Outside the VTOA CUG 
AESA     Incoming Calls     Outgoing Calls     Incoming Access     Outgoing Access 
         Barred (ICB)       Barred (OCB)       (IA)                (OA) 
A.2.*    Disabled           Disabled           Disabled            Disabled 
B.2.*    Disabled           Disabled           Disabled            Disabled 

TABLE 1 

According to the ICB and OCB settings shown in Table 1, attempts to communicate within the 
VTOA CUG will not be denied based on closed user group considerations. According to the 
"Incoming Access" and "Outgoing Access" settings shown in Table 1, attempts to set up calls 
between members (of the VTOA closed user group) and non-members will be denied, regardless 
of whether a member tries to call a non-member or a non-member tries to call a member. 

It is noted that each closed user group member includes configuration information, such 
as the parameters shown in Table 1. That is, the closed user group information elements do not 
carry the access privilege information. Rather, the ATM switches keep track of this information 
(as configured by the ATM EMS) and enforce any configured access restrictions. 
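As an added illustration, not part of the application, the following Python models the Figure 4 membership list and the Table 1 access parameters and screens SVC SETUP requests against them, raising an EMS alarm on each denial as the text requires; the alarm list, the provisioning check and the function names are assumptions made for the example.

```python
"""CUG screening of SVC SETUP requests, modelled on the Figure 4 / Table 1 example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed membership list: "*" is a wildcard for any AESA under that prefix.
CUG_MEMBERSHIP: List[str] = ["A.2.*", "B.2.*"]


@dataclass(frozen=True)
class AccessSettings:
    """Per-member access parameters as held by the ATM switches (not carried in the CUG IE).

    ICB/OCB govern calls among CUG members; IA/OA govern calls to and from non-members.
    All four disabled is the Table 1 setting: members may call each other and nobody else."""
    icb: bool = False  # Incoming Calls Barred
    ocb: bool = False  # Outgoing Calls Barred
    ia: bool = False   # Incoming Access from non-members
    oa: bool = False   # Outgoing Access to non-members


# Constructed per-member settings keyed by membership pattern (the Table 1 values).
MEMBER_SETTINGS: Dict[str, AccessSettings] = {
    "A.2.*": AccessSettings(),
    "B.2.*": AccessSettings(),
}

# Constructed stand-in for the alarm channel to the ATM EMS.
EMS_ALARMS: List[str] = []


def cug_pattern_for(aesa: str) -> Optional[str]:
    """Return the membership pattern matching aesa, or None for a non-member."""
    for pattern in CUG_MEMBERSHIP:
        if pattern.endswith("*"):
            if aesa.startswith(pattern[:-1]):
                return pattern
        elif aesa == pattern:
            return pattern
    return None


def _deny(calling: str, called: str, reason: str) -> Tuple[bool, str]:
    """Deny the SETUP and send a detailed alarm to the EMS."""
    EMS_ALARMS.append(f"CUG DENY calling={calling} called={called}: {reason}")
    return False, reason


def screen_setup(calling: str, called: str) -> Tuple[bool, str]:
    """Apply CUG screening to an SVC SETUP from the calling AESA to the called AESA."""
    src = cug_pattern_for(calling)
    dst = cug_pattern_for(called)
    if src is None and dst is None:
        return True, "no VTOA CUG party; CUG screening not applicable"
    if src is not None and dst is not None:
        if MEMBER_SETTINGS[src].ocb:
            return _deny(calling, called, "outgoing calls barred for calling member")
        if MEMBER_SETTINGS[dst].icb:
            return _deny(calling, called, "incoming calls barred for called member")
        return True, "intra-CUG call permitted"
    if src is not None:  # member -> non-member requires Outgoing Access on the member
        if MEMBER_SETTINGS[src].oa:
            return True, "outgoing access enabled"
        return _deny(calling, called, "member may not call non-member (OA disabled)")
    # non-member -> member requires Incoming Access on the called member
    if MEMBER_SETTINGS[dst].ia:
        return True, "incoming access enabled"
    return _deny(calling, called, "non-member may not call member (IA disabled)")


def aesa_assignment_valid(aesa: str, is_vtoa: bool) -> bool:
    """Provisioning check: VTOA elements must fall under a CUG prefix, non-VTOA must not."""
    return (cug_pattern_for(aesa) is not None) == is_vtoa


if __name__ == "__main__":
    for pair in [("A.2.1", "B.2.1"), ("A.2.1", "A.1.1"), ("B.1.1", "B.2.1"), ("A.1.1", "B.1.1")]:
        print(pair, screen_setup(*pair))
    print(EMS_ALARMS)
```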

Further, in a baseline embodiment, traffic that traverses the ATM network is policed. 
Policing typically arises in the context of traffic management; however, in the described 
embodiment, policing plays a role in VTOA security as a last line of defense against malicious 
overloading. 

The ATM network employs per virtual channel (VC) traffic policing on control/signaling 
VCs in order to prevent malicious overloading of the control system, or potential voice toll fraud 
such as carrying user traffic in a control connection. 

The ATM network also employs per VC traffic policing on VCs carrying user data in order to 
prevent malicious overloading of the network. Such policing may include limiting the volume 
of traffic by counting cells per time period. 
Usage parameter control (UPC) can be used to ensure that all sources comply with their 
traffic contracts. Details about traffic contracts and UPC can be found in "Traffic Management 
Specification, Version 4.0," ATM Forum Technical Committee Document af-tm-0056-000, April 
1996, the disclosure of which is expressly incorporated by reference herein in its entirety. 

A baseline embodiment implements UPC in a VTOA environment. In the VTOA 
architecture, the essential ATM traffic categories are constant bit rate (CBR) and variable bit rate 
(VBR). For any traffic source of this type, compliance with the traffic contract is unambiguously 
defined in terms of the Generic Cell Rate Algorithm (GCRA). The UPC function can discard 
non-compliant cells at the UNI, or tag non-compliant cells (by setting the cell loss priority bit 
to 1) for potential discard at network congestion points. 

In an alternate embodiment, for example, in the case of a multi-service network, 
unspecified bit rate (UBR) and/or available bit rate (ABR) ATM traffic may also be present. 
Traffic contract compliance for UBR sources can also be defined in terms of the GCRA. For 
ABR sources, the definition of traffic-contract compliance can vary from network to network, 
but UPC must be implemented in such a way that compliant traffic sources (of any category) are 
unaffected by non-compliant sources. 
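An added example, not taken from the application: a per-VC UPC function implementing GCRA(I, L) in its virtual-scheduling form, offering both the discard and the CLP-tagging treatment of non-conforming cells described above, with one GCRA state per VC so that a compliant source is unaffected by a non-compliant one. The VC numbers, contract values and cell arrival times are constructed for the example.

```python
"""Per-VC usage parameter control (UPC) using GCRA(I, L), virtual-scheduling form."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Cell:
    vc: int          # virtual channel identifier
    arrival: float   # arrival time at the UNI, in microseconds (constructed units)
    clp: int = 0     # cell loss priority bit from the cell header


@dataclass
class Gcra:
    """GCRA(I, L): I = 1/PCR (cell interval), L = tolerance (CDVT)."""
    increment: float
    limit: float
    tat: float = 0.0  # theoretical arrival time of the next conforming cell

    def conforms(self, t: float) -> bool:
        if t < self.tat - self.limit:
            return False          # arrived too early: non-conforming, TAT unchanged
        self.tat = max(t, self.tat) + self.increment
        return True


class UpcPolicer:
    """One GCRA instance per VC; a misbehaving VC cannot consume another VC's allowance."""

    def __init__(self, contracts: Dict[int, Tuple[float, float]], mode: str = "discard"):
        if mode not in ("discard", "tag"):
            raise ValueError("mode must be 'discard' or 'tag'")
        self.mode = mode
        self.gcra = {vc: Gcra(i, l) for vc, (i, l) in contracts.items()}
        self.counts = {vc: {"pass": 0, "tag": 0, "discard": 0} for vc in contracts}

    def police(self, cell: Cell) -> str:
        g = self.gcra.get(cell.vc)
        if g is None:
            return "discard"       # no traffic contract for this VC: nothing is admitted
        if g.conforms(cell.arrival):
            action = "pass"
        elif self.mode == "tag" and cell.clp == 0:
            cell.clp = 1           # tag for possible discard at congestion points downstream
            action = "tag"
        else:
            action = "discard"     # discard mode, or an already-tagged cell that fails again
        self.counts[cell.vc][action] += 1
        return action


def run_policer(cells: List[Cell], contracts, mode: str = "discard"):
    """Police a cell sequence and return the per-VC pass/tag/discard counts."""
    policer = UpcPolicer(contracts, mode)
    for cell in cells:
        policer.police(cell)
    return policer.counts


# Constructed contracts: both VCs allow one cell per 100 us with 20 us of tolerance.
CONTRACTS = {5: (100.0, 20.0), 7: (100.0, 20.0)}


def sample_cells() -> List[Cell]:
    """Constructed arrivals: VC 5 bursts above its contract, VC 7 stays within it."""
    return ([Cell(5, t) for t in (0, 100, 200, 250, 260, 300, 395, 480, 560)]
            + [Cell(7, t) for t in (0, 100, 200, 300)])


if __name__ == "__main__":
    print(run_policer(sample_cells(), CONTRACTS, "tag"))
```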

In other embodiments, ATM traffic is further controlled. Such control is employed when 
inter-carrier connections exist, and/or when multi-service dimensions to VTOA deployments 
exist, and/or when standards-based signaling between CS-IWF and T-IWF components occurs, 
and/or when networks are not dependent on out-of-band SS7 signaling to connect end users to 
ATM bearer channels, but can instead complete end-to-end calls entirely via in-band signaling 
over the ATM network. These additional requirements are aimed at restricting the flow of 
information (such as information about the local carrier's, as opposed to another carrier's, 
network topology) to other carriers' networks, and at denying attempts to control VTOA network 
elements from points outside the local carrier's network. It is noted that although the term "local 
carrier" is being used, local carrier is not intended to limit the network to a network solely 
serving intraLATA calls. Rather, local carrier is used to indicate the carrier operating the VTOA 
system. 

When the local carrier enters into agreement(s) to hand off calls to other carriers as ATM 
streams, additional requirements are imposed to maintain appropriate network security. Note that 
these requirements are not purely ATM-specific; in particular, the VTOA SMS 22 capabilities 
are affected as well. 

At the call control level, the SMS 22 and/or ATM EMS 26 support the creation and 
editing of a list identifying CS-IWFs in other networks with communications permissions. 
Consequently, attempts made by unauthorized sources will be rejected, with an alarm and 
detailed message sent to the SMS 22. This requirement may be fulfilled by setting up inter-
carrier closed user groups via ATM EMSs 26, or via an equivalent mechanism implemented in 
the SMS 22. Those skilled in the art will recognize mechanisms implemented in the SMS 22 that 
are equivalent to the intercarrier closed user groups via the ATM EMS 26. 

In this embodiment, messages from CS-IWFs in other networks, other than those 
necessary for control of intercarrier calls, are discarded. When such messages are detected, an 
alarm is sent to the SMS 22 with a detailed description. The SMS 22 displays an appropriate 
alarm and logs the event. 

When distributed dynamic routing protocol(s), such as PNNI, are implemented in the 
local carrier's networks, the routing domain is restricted to the local carrier's networks only. 
Consequently, routing information is not distributed to non-local carriers. Moreover, 
inter-network routing is provisioned statically. 

Broad categories of ATM security services are discussed below. 

Table 2 lists and briefly describes four major categories of security services. For more 
details about each of the four major categories, refer to The ATM Forum Technical Committee, 
"ATM Security Specification, Version 1.0," AF-SEC-0100.001, February, 1999, the disclosure 
of which is expressly incorporated herein by reference in its entirety. 
Category of Security Service: Entity Authentication 
Approach/Comments: Refers to procedures that "bootstrap" the security infrastructure (e.g., use of 
cryptographic algorithms to enable secure initial exchange of keys between security agents). 

Category of Security Service: Confidentiality 
Approach/Comments: Payload-only encryption of ATM cells using symmetric (secret key) 
algorithms. This service functions at the ATM layer. 
Type of Threat Service Guards Against: Unauthorized disclosure of data transported via ATM 
cells. 

Category of Security Service: Integrity 
Approach/Comments: Append cryptographic signature to each AAL service data unit (SDU). 
Note: This only applies to AAL 3/4 and/or AAL 5. This service functions between AAL 
endpoints. There are two distinct subcategories: 
Type of Threat Service Guards Against: Detect modification of: 

  - with replay/reordering protection 
    Approach/Comments: A sequence number is appended to the AAL service data unit (SDU) 
    and the resulting bit string, in its entirety, is fed to the algorithm that computes the 
    signature. 
    Type of Threat Service Guards Against: Data values or sequences of data values. In 
    particular, this mechanism seeks to detect when a message has been maliciously duplicated 
    and replayed. It also seeks to detect when a message has been altered. 

  - without replay/reordering protection 
    Approach/Comments: The (unaltered) AAL service data unit (SDU) is the input to the 
    crypto-signature algorithm. 
    Type of Threat Service Guards Against: Data values only. This mechanism seeks to detect 
    when a message has been altered. This mechanism may be used if sequencing information 
    need not be protected or (as in the case of TCP/IP) sequencing information is already 
    present in the AAL service data unit (SDU). 

Category of Security Service: Access Control 
Approach/Comments: Refers to application of a set of rules to requests for service. In the case 
of Closed User Groups, these rules are based on source and/or destination user identities. 
Type of Threat Service Guards Against: Origination of ATM signaling messages (e.g., UNI 
SETUP, RELEASE) by unauthorized parties, when these messages are targeted at VTOA 
network elements. 

TABLE 2 

It is noted that confidentiality and integrity services are based on cryptographic 
algorithms. Thus, the services are costly in (at least) two ways: 

1. Before cryptography-protected transmissions between endpoint security agents can 
take place, secure initial key exchange (see "authentication" in Table 1) must be completed. 
Thus, administrative costs are associated with managing cryptographic keys. 

2. The cryptographic algorithms themselves exact a performance toll. 

Because of the attendant administrative and performance costs, confidentiality and 
integrity services are not included in the baseline embodiment. These costs must be weighed 
carefully in consideration of alternate embodiments in which the network switches 
intercarrier (IXC) traffic, and/or the VTOA traffic is carried by a multi-service ATM network, 
and/or signaling between CS-IWFs and T-IWFs is standards based. 

A priority ordering for types of traffic that may require authentication, integrity and/or 
confidentiality services is now discussed. As stated above, integrity services append 
cryptographic signatures to AAL 5 service data units. Confidentiality services perform payload-
only encryption/decryption of ATM cells. Authentication services perform secure key 
exchanges, which are necessary to bootstrap confidentiality and integrity services. 
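As an added example, not the application's own mechanism, the two integrity subcategories of Table 2 in Python: HMAC-SHA256 is assumed as the cryptographic signature over the AAL 5 SDU, and a 32-bit sequence number appended to the SDU before signing is assumed for the replay/reordering-protected variant; the key and the control messages are constructed.

```python
"""AAL 5 SDU integrity service with and without replay/reordering protection."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

TAG_LEN = 32   # HMAC-SHA256 output: an assumed stand-in for the "cryptographic signature"
SEQ_LEN = 4    # 32-bit sequence number appended to the SDU (assumed width)


class IntegritySender:
    def __init__(self, key: bytes, replay_protection: bool = True):
        self.key = key
        self.replay_protection = replay_protection
        self.seq = 0

    def protect(self, sdu: bytes) -> bytes:
        """Return SDU || [seq] || signature; the signature covers everything before it."""
        body = sdu
        if self.replay_protection:
            self.seq += 1
            body = sdu + struct.pack(">I", self.seq)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class IntegrityReceiver:
    def __init__(self, key: bytes, replay_protection: bool = True):
        self.key = key
        self.replay_protection = replay_protection
        self.last_seq = 0  # highest sequence number accepted so far

    def verify(self, pdu: bytes) -> Tuple[bool, Optional[bytes], str]:
        """Check the signature, then (if enabled) the sequence number.

        Sequence numbers must strictly increase, so a duplicated/replayed PDU and a PDU
        delivered out of order are both rejected; without replay protection only the
        data values are checked."""
        min_len = TAG_LEN + (SEQ_LEN if self.replay_protection else 0)
        if len(pdu) < min_len:
            return False, None, "truncated PDU"
        body, tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, None, "signature mismatch (altered)"
        if not self.replay_protection:
            return True, body, "ok"
        sdu, seq = body[:-SEQ_LEN], struct.unpack(">I", body[-SEQ_LEN:])[0]
        if seq <= self.last_seq:
            return False, None, f"replay or reordering (seq {seq} <= {self.last_seq})"
        self.last_seq = seq
        return True, sdu, "ok"


def demo(replay_protection: bool) -> Tuple[str, str, str, str]:
    """Send one SDU, replay it, alter it, then send a later one; return the four verdicts."""
    key = b"constructed-demo-key-not-for-production"
    tx = IntegritySender(key, replay_protection)
    rx = IntegrityReceiver(key, replay_protection)
    pdu1 = tx.protect(b"RELEASE call-ref 0x2a")   # constructed control message
    first = rx.verify(pdu1)[2]
    replayed = rx.verify(pdu1)[2]                  # same PDU delivered a second time
    altered = rx.verify(b"X" + pdu1[1:])[2]        # first byte of the SDU changed
    later = rx.verify(tx.protect(b"SETUP call-ref 0x2b"))[2]
    return first, replayed, altered, later


if __name__ == "__main__":
    print("with replay protection:   ", demo(True))
    print("without replay protection:", demo(False))
```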

It is noted that the closed user group requirements, discussed above, are designed to 
defeat all attempts by unauthorized parties to establish switched connections with VTOA 
network elements. Thus, closed user groups provide a base level of protection to VTOA traffic 
that traverses the ATM network. 

For bearer ATM connections, no additional security requirements are contemplated in 
addition to the base level requirements. That is, integrity services are not applicable to bearer 
traffic because integrity services are restricted to traffic adapted by AAL 3/4 or AAL 5; bearer 
traffic employs AAL1 or AAL2 in the VTOA system. Confidentiality services are not 
contemplated for bearer traffic because the performance toll of cryptographic algorithms would 
be too great. 

The following discussion assumes that the ATM switches that make up the fabric of the 
distributed tandem are separate network elements from those elements implementing the T-IWF 
and CS-IWF functions. 

Authentication is applicable to key exchanges for setup of confidentiality and integrity 
services. The service should be employed to support the confidentiality and integrity services. 
It is implemented based on cryptographic algorithms. 

The confidentiality service is employed for commands and data that could cause a VTOA 
or ATM network element to go out of service or drop a large number of calls. Multicarrier 
VTOA deployments precipitate the need for the confidentiality service. Multi-service 
deployments may trigger the need for the service. The service is implemented in the SMS 22, 
the CS-IWF 12 and in the T-IWF 10, and is transparent to the ATM network 14. 

Control traffic exchanged between CS-IWF 12 and T-IWF 10 components or among 
other remote portions of the CS-IWF 12, whenever the traffic is carried across the ATM network 
14, should also be protected by the confidentiality service. Standards-based signaling between 
the CS-IWF 12 and the T-IWF 10 in multicarrier environments triggers this requirement. In 
addition, networks placing calls with ATM in-band signaling in multicarrier environments trigger 
this requirement. The service is implemented in the CS-IWF 12 and the T-IWF 10, and is 
transparent to the ATM network 14. 
The integrity service is also employed for commands and data that could cause a VTOA 
or ATM network element to go out of service or drop a large number of calls. Multicarrier 
VTOA deployments precipitate the need for the integrity service. Multi-service deployments 
may trigger the need for the service. The service is implemented in the SMS 22, the CS-IWF 12 
and in the T-IWF 10, and is transparent to the ATM network 14. 

Control traffic exchanged between CS-IWF 12 and T-IWF 10 components or among 
other remote portions of the CS-IWF 12, whenever the traffic is carried across the ATM network 
14, should also be protected by the integrity service. Standards-based signaling between the CS-
IWF 12 and the T-IWF 10 in multicarrier environments triggers this requirement. In addition, 
networks placing calls with ATM in-band signaling in multicarrier environments trigger this 
requirement. The service is implemented in the CS-IWF 12 and the T-IWF 10, and is transparent 
to the ATM network 14. 

The following requirements use the terminology presented above. In determining 
whether these requirements will be put in force, operatic 
security services should be assessed. 

For OA&M traffic which could cause a VTOA or ATM network element to go out of 
service, or to drop a large number of calls, confidentiality and integrity services are implemented 
and enabled. For control traffic exchanged between CS-IWF and T-IWF devices, or between CS-
IWF compon

In a multi-service network, it may be desirable to deploy network elements that combine 
VTOA and non-VTOA functions. For example, referring back to Figure 4, elements A.1.1 and 
A.2.2 may be a single piece of equipment, attached to ATM switch A via a single physical link. 
In this case, virtual UNIs can (and should) be used to establish a logical separation between the 
functions associated with A.1.1 and 

That is, VTOA network elements and non-VTOA network elements are never connected 
to the same UNI. In the case when a VTOA network element is also an ATM-network access 
point for non-VTOA service(s), these service(s) can be offered via a distinct "non-VTOA" virtual 
UNI. The virtual UNI provides a secure way to segregate VTOA from other services in the case 
that VTOA and non-VTOA access are not always physically separate (by making certain that no 
member of a VTOA closed user group has an address prefix matching that of any non-VTOA 
UNI). An example of a VTOA network element providing non-VTOA services is an edge device 
that processes frame relay or native ATM communications. 

The ATM EMS 26 generates logs of significant security events. EMS event logging and 
auditing capabilities are now described. The security events are categorized according to 
granularity. Baseline capabilities include logging the identities of all users who have logged on, 
and all applications that were executed. In addition, the identities of the network elements that 
were accessed should be logged. A highly desirable enhanced capability is logging which 
commands were executed and which data/parameters were supplied by the user when the 
commands were invoked. 

The ATM vendor may incorporate the capabilities of the baseline embodiment into the 
ATM EMS. The basic types of information are necessary for effective auditing, which is an 
integral part of any security policy. In another embodiment, requirements for the development 
of filtering and alarming features to assist in auditing are satisfied. The items are not 
necessarily security information. It is noted, however, that data collection capacities at 
this increased level of granularity are important from an operations point of view (e.g. for 
reconstructing a chain of events). 

In another embodiment, the ATM EMS 26 maintains a list of all active user identities and 
collects security log information (including user ID, application(s) executed, and network 
elements accessed) to identify security breaches or theft of customer services. Each recorded 
security event is accompanied by a time stamp. 

The ATM EMS 26 constantly reviews security log information, filters redundant 
information and, when appropriate, generates security alarms and recommended courses of 
action, including automatic (or scheduled) virus checks. In addition, the ATM EMS 26 supports 
administrator definable parameters for filtering security log information and generating different 
types and severities of security alarms. 
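An added example, not part of the application: a minimal security-log review of the kind described for the ATM EMS 26, with time-stamped events carrying user ID, application and network element accessed, administrator-definable alarm rules with severities, and filtering of redundant entries. The log format, the active user list, the command names and the sample lines are constructed for the example.

```python
"""EMS security-log review: drop redundant entries, then apply administrator-defined rules."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SecurityEvent:
    ts: datetime
    user: str         # user identity that logged on
    application: str  # application executed
    element: str      # network element accessed (AESA label as in Figure 4)
    command: str      # enhanced capability: command invoked, "" if not logged


@dataclass(frozen=True)
class AlarmRule:
    """Administrator-definable filter: name, severity and the condition it tests."""
    name: str
    severity: str
    matches: Callable[[SecurityEvent], bool]


def parse_log_line(line: str) -> SecurityEvent:
    """Parse the constructed 'ts=... user=... app=... ne=... cmd=...' log format."""
    fields: Dict[str, str] = dict(tok.split("=", 1) for tok in line.split())
    return SecurityEvent(
        ts=datetime.fromisoformat(fields["ts"]),
        user=fields["user"],
        application=fields["app"],
        element=fields["ne"],
        command=fields.get("cmd", ""),
    )


def drop_redundant(events: List[SecurityEvent], window: timedelta) -> List[SecurityEvent]:
    """Keep the first of identical (user, app, element, command) events within each window."""
    last_kept: Dict[Tuple[str, str, str, str], datetime] = {}
    kept: List[SecurityEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.application, ev.element, ev.command)
        prev = last_kept.get(key)
        if prev is not None and ev.ts - prev < window:
            continue
        last_kept[key] = ev.ts
        kept.append(ev)
    return kept


def review(events: List[SecurityEvent], rules: List[AlarmRule],
           window: timedelta = timedelta(minutes=1)) -> List[Tuple[str, str, str]]:
    """Return (severity, rule name, description) for every rule hit after de-duplication."""
    alarms = []
    for ev in drop_redundant(events, window):
        for rule in rules:
            if rule.matches(ev):
                alarms.append((rule.severity, rule.name,
                               f"{ev.ts.isoformat()} user={ev.user} app={ev.application} "
                               f"ne={ev.element} cmd={ev.command or '-'}"))
    return alarms


# Constructed policy: the EMS's active user list and commands that could take an element
# out of service (the class of OA&M traffic the text singles out).
ACTIVE_USERS = {"noc1", "noc2"}
DISRUPTIVE_COMMANDS = {"RESTART", "DELETE-CUG", "UNLOCK-UNI"}
RULES = [
    AlarmRule("unknown-user", "critical", lambda e: e.user not in ACTIVE_USERS),
    AlarmRule("disruptive-command", "major", lambda e: e.command in DISRUPTIVE_COMMANDS),
]

# Constructed sample log lines (not from any real EMS).
SAMPLE_LOG = """\
ts=2001-03-05T10:00:00 user=noc1 app=cfg-tool ne=A.2.1 cmd=SHOW-CUG
ts=2001-03-05T10:00:20 user=noc1 app=cfg-tool ne=A.2.1 cmd=SHOW-CUG
ts=2001-03-05T10:00:40 user=noc1 app=cfg-tool ne=A.2.1 cmd=SHOW-CUG
ts=2001-03-05T10:05:00 user=noc2 app=cfg-tool ne=B.2.1 cmd=RESTART
ts=2001-03-05T10:06:00 user=guest app=cfg-tool ne=A.2.2 cmd=DELETE-CUG
"""


def review_sample() -> List[Tuple[str, str, str]]:
    events = [parse_log_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return review(events, RULES)


if __name__ == "__main__":
    for alarm in review_sample():
        print(alarm)
```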

According to the present invention, ATM-specific security requirements for VTOA are 
defined. In the baseline embodiment, it is assumed that ATM deployments include dedicated 
ATM networks, and intercarrier traffic is converted to TDM for handoff to other carriers. In 
alternative embodiments, for example, when multiservice, multi-carrier VTOA deployments 
exist, additional requirements are set forth. 

Although the invention has been described with reference to several exemplary 
embodiments, it is understood that the words that have been used are words of description and 
illustration, rather than words of limitation. Changes may be made within the purview of the 
appended claims, as presently stated and as amended, without departing from the scope and spirit 
of the invention in its aspects. Although the invention has been described with reference to 
particular means, materials and embodiments, the invention is not intended to be limited to the 
particulars disclosed; rather, the invention extends to all functionally equivalent structures, 
methods, and uses such as are within the scope of the appended claims. 

In accordance with various embodiments of the present invention, the methods 
described herein are intended for operation as software programs running on 
a computer processor, including switches, etc. Dedicated hardware implementations including, 
but not limited to, application specific integrated circuits, programmable logic arrays and other 
hardware devices can likewise be constructed to implement 
the methods described herein. It should also be noted that the software 
implementations of the present invention can be stored on a tangible storage 
medium such as a magnetic or optical disk, read-only memory or random access 
memory and be produced as an article of manufacture. 

Although the present specification describes components and functions implemented in 
the embodiments with reference to particular standards and protocols, the invention is not limited 
to such standards and protocols. Each of the standards for ATM and other packet-switched 
network transmission (e.g., PNNI, UNI), ATM standards promulgated by the ATM Forum, 
as referred to herein, and public telephone networks (ISDN, ATM, xDSL) similarly represent 
examples of the state of the art. Such standards are periodically superseded by faster or more 
efficient equivalents having essentially the same functions. Accordingly, replacement standards 
and protocols having the same functions are considered equivalents. 
WHAT IS CLAIMED IS: 

1. A telecommunications network that carries control traffic and bearer traffic via 
ATM communications channels and TDM communications channels, the telecommunications 
network comprising: 

a plurality of ATM switches and an ATM element management system that manages an 
ATM switching network formed by the plurality of ATM switches; 

at least one closed user group consisting of a plurality of closed user group members 
constituting: a plurality of trunk interworking function (T-IWF) devices configured to receive 
end office voice trunks from TDM channels and convert the trunks to ATM cell streams and to 
receive ATM cell streams and convert the ATM cell streams to end office voice trunks; at least 
one centralized control and signaling interworking function (CS-IWF) device that performs call 
control functions and interfaces narrowband and broadband signaling for call processing and 
control within the ATM switching network; and a VTOA switch management system (SMS); and 

a plurality of end office switches that communicate with the plurality of trunk 
interworking function (T-IWF) devices and the at least one centralized control and signaling 
interworking function (CS-IWF) device via TDM communications channels; 

wherein the closed user group members are restricted to communicating solely with other 
closed user group members when communicating to each other via the ATM switching network. 

2. 

and signaling access requests to traditional voice network elements, including the plurality of end 
office switches, that are received through the ATM switching network. 

3. The network of claim 2, wherein when the control and signaling access request 
is denied, an alarm is sent to the SMS. 

4. The network of claim 1, wherein traffic between element management systems 
and operations support system is not carried through the ATM switching network. 

5. The network of claim 1, wherein each closed user group member is associated 
with a UNI (user-network-interface). 

6. The network of claim 5 in which no closed user group member has any default 
identifier, address, or route provisioned. 

7. The network of claim 5 in which the UNI further comprises a network prefix of 
an ATM end system address (AESA). 
8. The network of claim 5, further comprising a virtual UNI assigned to a selected 
closed user group member when the selected closed user group member comprises an ATM 
network access point for non-VTOA services. 

9. The network of claim 1 in which the ATM element management system 
establishes, assigns and maintains all closed user group data. 

10. The network of claim 1, wherein per virtual channel traffic is policed on 
control and signaling virtual channels and on virtual channels carrying user data. 

11. The network of claim 1 in which operations, administration and maintenance 
(OA&M) traffic between traditional voice network elements does not travel through the ATM 
switching network. 

12. The network of claim 1, wherein control and signaling traffic does not travel 
through the ATM switching network. 

13. The network of claim 1, wherein a call setup request comprises at least one closed 
user group information element appended thereto. 

14. The network of claim 1 in which each closed user group member further 
comprises configuration information comprising an outgoing access parameter, an incoming 
access parameter, an incoming call barred parameter and an outgoing call barred parameter. 

15. The network of claim 1, wherein the ATM element management system stores 
a list identifying foreign CS-IWFs from other networks, and 
wherein messages from foreign CS-IWFs in other networks not in the list are discarded. 

16. The network of claim 15, wherein information regarding the local carrier network 
does not promulgate beyond local carrier network boundaries. 

17. The network of claim 1 in which confidentiality services are employed for 
command traffic and data traffic carried across the ATM switching network. 

18. The network of claim 1 in which confidentiality services are employed for control 
traffic exchanged between the at least one CS-IWF device and the T-IWF devices via the ATM 
switching network. 

19. The network of claim 1 in which integrity services are employed for command 
traffic and data traffic carried across the ATM switching network. 
20. The network of claim 1 in which integrity services are employed for control traffic 
exchanged between the at least one CS-IWF device and the T-IWF devices via the ATM 
switching network. 

21. A method for controlling bearer traffic and control traffic traveling through ATM 
communication channels and TDM communication channels, in a communications network 
comprising at least one closed user group consisting of a plurality of trunk interworking function 
(T-IWF) devices that receive end office voice trunks from TDM channels and convert the trunks 
to ATM cell streams and receive ATM cell streams and convert the ATM cell streams to end 
office voice trunks; at least one centralized control and signaling interworking function (CS-
IWF) device that performs call control functions and interfaces narrowband and broadband 
signaling for call processing and control within the ATM switching network; and a VTOA switch 
management system (SMS); the network further comprising a plurality of ATM switches and an 
ATM element management system that manages an ATM switching network formed by the 
plurality of ATM switches, the method comprising: 

transmitting signals via the ATM switching network between closed user group members; 
and 

rejecting signals received via the ATM switching network that originate from non-closed 
user group members. 

22. The method of claim 21, further comprising denying all control and signaling 
access requests to traditional voice network elements that are received through the ATM 
switching network. 

23. The method of claim 22, in which the denying further comprises sending an alarm 
to the SMS. 

24. The method of claim 21, further comprising excluding traffic between element 
management systems and operation support systems from the ATM switching network. 

25. The method of claim 21, further comprising associating each closed user group 
member with a UNI (user-network-interface). 

26. The method of claim 25, in which no closed user group member has any default 
identifier, address, or route. 

27. The method of claim 25, in which the UNI further comprises a network prefix of 
an ATM end system address (AESA). 
28. The method of claim 25, further comprising a virtual UNI assigned to a 
selected closed user group member when the selected closed user group member comprises an 
ATM network access point for non-VTOA services. 

29. The method of claim 21, further comprising policing per virtual channel traffic 
on control and signaling virtual channels and on virtual channels carrying user data. 

30. The method of claim 21, further comprising excluding operations, administration 
and maintenance (OA&M) traffic between traditional voice network elements from the ATM 
switching network. 

31. The method of claim 21, further comprising excluding control and signaling 
traffic from the ATM switching network. 

32. The method of claim 21, further comprising storing a list identifying foreign CS-
IWFs from other networks in the ATM element management system and discarding messages 
received from foreign CS-IWFs from networks not in the list. 

33. The method of claim 21, wherein a setup request comprises at least one closed 
user group information element appended thereto. 

34. The method of claim 21, further comprising associating configuration information 
with each closed user group member, the configuration information comprising an outgoing 
access parameter, an incoming access parameter, an incoming call barred parameter and an 
outgoing call barred parameter. 

35. The method of claim 21, further comprising employing confidentiality services 
for command traffic and data traffic carried across the ATM switching network. 

36. The method of claim 21, further comprising employing confidentiality services 
for control traffic exchanged between the at least one CS-IWF device and the T-IWF devices via 
the ATM switching network. 

37. The method of claim 21, further comprising employing integrity services for 
command traffic and data traffic carried across the ATM switching network. 

38. The method of claim 21, further comprising employing integrity services for 
control traffic exchanged between the at least one CS-IWF device and the T-IWF devices via the 
ATM switching network. 